CVE-2025-14844: CWE-639 Authorization Bypass Through User-Controlled Key in stellarwp Membership Plugin – Restrict Content
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to a missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership.
AI Analysis
Technical Summary
CVE-2025-14844 is a vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the Membership Plugin – Restrict Content for WordPress, developed by stellarwp. The issue exists in all plugin versions up to and including 3.2.16 within the function 'rcp_stripe_create_setup_intent_for_saved_card'. This function lacks proper capability checks, meaning it does not verify whether the requesting user has the necessary permissions to execute the operation. Additionally, the plugin fails to validate a user-controlled key parameter, which can be manipulated by an attacker. As a result, unauthenticated attackers can invoke this function to retrieve Stripe SetupIntent client_secret values tied to any membership. The client_secret is a sensitive token used in Stripe's payment setup process, and its exposure can lead to unauthorized payment method setups or fraud. The vulnerability is remotely exploitable over the network without any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact is primarily on confidentiality, with a high severity score of 8.2, while integrity and availability impacts are low or none. No patches or fixes are currently linked, and no known exploits have been reported in the wild, but the vulnerability poses a significant risk to websites using this plugin for membership and payment management. Attackers could leverage this flaw to compromise payment setups, potentially leading to financial fraud or data breaches involving payment information.
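The two controls the advisory says are missing, an authentication/capability check and a binding of the user-controlled membership key to the caller, look like this in a hardened WordPress AJAX handler. This is an added illustration written for this page, not code from the Restrict Content plugin; all `example_`-prefixed names, the `membership_id` request parameter and the nonce action are assumptions.

```php
<?php
// Hypothetical hardened handler for creating a Stripe SetupIntent for a saved card.
// Not the plugin's code: every example_* name and the request parameter are assumed.

// Registered only on the authenticated hook. The matching 'wp_ajax_nopriv_' hook is
// deliberately NOT registered, so anonymous visitors never reach this function.
add_action( 'wp_ajax_example_create_setup_intent', 'example_create_setup_intent' );

function example_create_setup_intent() {
    // CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_setup_intent_nonce', 'nonce' );

    // Authentication: reject anonymous callers explicitly, as defence in depth.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // Authorization on the user-controlled key: the membership ID arrives from the
    // request, so it must be tied back to the caller (or an administrator) before
    // any Stripe secret tied to it is returned.
    $membership_id = isset( $_POST['membership_id'] ) ? absint( $_POST['membership_id'] ) : 0;
    $owner_user_id = example_membership_owner_user_id( $membership_id ); // assumed helper
    $caller_id     = get_current_user_id();

    $is_owner = ( null !== $owner_user_id && $owner_user_id === $caller_id );
    $is_admin = current_user_can( 'manage_options' );

    if ( 0 === $membership_id || ! ( $is_owner || $is_admin ) ) {
        // Same response for "does not exist" and "not yours", so the endpoint cannot
        // be used to confirm which membership IDs exist.
        wp_send_json_error( array( 'message' => 'Unknown membership.' ), 404 );
    }

    // Only now is it safe to create the SetupIntent with the Stripe SDK (call omitted)
    // and hand its client_secret to the verified owner's browser.
    wp_send_json_success( array( 'membership_id' => $membership_id ) );
}

/**
 * Returns the WordPress user ID that owns $membership_id, or null if none.
 * Placeholder: a real implementation would query the plugin's membership store.
 * The mapping below is constructed sample data for illustration only.
 */
function example_membership_owner_user_id( $membership_id ) {
    $sample = array( 17 => 4, 18 => 9 );
    return isset( $sample[ $membership_id ] ) ? $sample[ $membership_id ] : null;
}
```

The ownership comparison is the part that addresses CWE-639: without it, a valid login alone would still let any member request a client_secret for someone else's membership.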
Potential Impact
For European organizations, especially those operating e-commerce platforms or membership-based services using WordPress with the Membership Plugin – Restrict Content, this vulnerability presents a serious risk. The unauthorized disclosure of Stripe SetupIntent client_secret values can lead to fraudulent payment method setups, unauthorized charges, or broader compromise of payment workflows. This can result in financial losses, reputational damage, and regulatory penalties under GDPR due to exposure of payment-related data. The vulnerability's ease of exploitation without authentication increases the attack surface, making automated scanning and exploitation plausible. Organizations relying on this plugin for subscription or membership management are particularly vulnerable. The impact extends to customer trust and compliance with payment card industry standards (PCI DSS). Additionally, the lack of integrity and availability impact means attackers cannot modify or disrupt services directly but can silently exfiltrate sensitive payment setup data, which may be leveraged in further attacks or fraud schemes.
Mitigation Recommendations
1. Immediate action should be to monitor the vendor's official channels for a security patch and apply it as soon as it becomes available.
2. Until a patch is released, implement web application firewall (WAF) rules to block or restrict access to the 'rcp_stripe_create_setup_intent_for_saved_card' endpoint or function, especially from unauthenticated users or IP addresses outside trusted ranges.
3. Conduct a thorough audit of WordPress user roles and capabilities to ensure no excessive permissions are granted that could be exploited.
4. Employ strict input validation and parameter sanitization on all plugin endpoints, particularly those handling payment-related data.
5. Enable detailed logging and monitoring of API calls related to Stripe payment setups to detect anomalous or unauthorized access attempts.
6. Consider temporarily disabling the Membership Plugin – Restrict Content if the risk outweighs operational needs until a fix is applied.
7. Educate development and security teams about this vulnerability to ensure rapid response and awareness.
8. Review Stripe account security settings, including webhook secrets and API keys, to detect any suspicious activity and rotate keys if necessary.
9. Engage with penetration testing or security assessments focused on payment processing workflows to identify any additional weaknesses.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-17T18:34:48.898Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696a06a5b22c7ad8685c6d8d
Added to database: 1/16/2026, 9:36:37 AM
Last enriched: 1/16/2026, 9:50:58 AM
Last updated: 2/4/2026, 10:53:01 PM